Canada's privacy laws inadequate for digital age, watchdog says
Fines for breaking law, mandatory data breach reporting recommended
Canadians' trust in the digital economy is at risk because our laws don't have enough teeth to compel companies to protect consumers' privacy, Canada's privacy commissioner says.
"It is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow," Jennifer Stoddart said Thursday when she released a report recommending changes to Canadian privacy legislation governing the private sector.
"The legislation lacks mechanisms strong enough to ensure organizations invest appropriately in privacy. As a result, consumer trust in the digital economy is at risk."
Speaking to members of the International Association of Privacy Professionals at their annual Canada Privacy Symposium, where she released her position paper, Stoddart noted that technological advances have massively expanded the scale of personal information that organizations can collect, store and use as they create new products and services. Sometimes, she added, that occurs in ways that are intrusive, or without the genuine consent of the individuals that the personal information belongs to.
Stoddart has previously complained that many companies, such as social media websites, routinely ignore Canadian privacy laws.
She said Thursday that other countries have already made changes to their privacy laws to address the challenges posed by new technology and it is important that Canadian legislation "evolve to keep up with the rest of the world."
In order to address such issues, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) must be beefed up to include stronger enforcement, she added.
"Right now, the only real power I have is to name [companies that break the law]," she said. "This provides Canadians with information about where they may — or may not — wish to take their business. But how can Canadians vote with their feet when increasing amounts of their personal information are being held by fewer and fewer organizations?"
Stoddart's paper recommends expanding enforcement powers under the law to allow for:
- Financial penalties such as compensation for damages, administered by the Federal Court or fines imposed by the privacy commissioner.
- The privacy commissioner to make orders that companies must comply with.
Currently, the privacy commissioner can recommend actions companies can take to comply with privacy legislation, but would need to go to Federal Court to get an enforceable order.
Stoddart also recommends measures to boost the transparency and accountability of companies that gather, store and use Canadians' personal information by requiring companies to:
- Notify both the privacy commissioner and affected individuals in the case of a privacy breach.
- Publicly report the number of disclosures of Canadians' personal information they have made to law enforcement agencies and government institutions. PIPEDA allows law enforcement and government agencies to obtain this information without consent.
- Be accountable for their commitments to improve privacy practices, following an investigation or audit, by being required to demonstrate compliance within a set time period or face consequences.
Voluntary privacy breach reporting 'unacceptable'
In the case of privacy breaches, organizations can currently report breaches voluntarily, but don't have to, a situation that Stoddart called "unacceptable" and "unfair." She noted that organizations that do report breaches often suffer damage to their reputation and costs associated with fixing the problem. "Meanwhile, those that do not report may escape with no negative effects on their reputation or bottom line."
Stoddart has been calling for similar changes for years, but so far the government has not committed to updating PIPEDA.